This blog contains information regarding Hikvision IP camera/NVR firmware vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.
Update October 29, 2021
15:00 | The majority of the Hikvision cameras are susceptible to a critical unauthenticated remote code execution vulnerability. This permits an attacker to gain full control of the device.
A firmware update was made available on the 19th of September, fixing the vulnerability. However, an increase in public attention was noticed, due to a proof on concept being publicly released. This will increase the likelihood of the vulnerability actively being exploited in the wild.
Hikvision camera systems are also sold under different brands. These systems may use the same firmware and are therefore potentially also vulnerable. There are no details with regards to these products available. It is advised to check for updates for your camera system.
Our advice is to check if any of your products is listed and apply the required firmware update as soon as possible. If the camera systems can’t be updated, it’s recommended to limit inbound network connections.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
The vulnerability CVE-2021-36260 allows a remote attacker to gain full control over the camera. The main risk is access of the camera being used as a steppingstone into gaining access to the rest of the IT-infrastructure. Additionally, the camera(s) can be used in a botnet or to watch physical locations.
Hikvision has published a firmware update to resolve the vulnerability. It’s recommended to install the firmware update as soon as possible. This is a patch-now vulnerability, as a proof of concept has been released.
The vulnerability has a CVSS-score of 9.8. The CVSS scale runs for 0 till 10. A score of 9.8 or higher is rare and implies a high risk of exploiting with a high impact.
The vulnerability allows an attacker to add a line to the /etc/passwd file via a vulnerability which likely exists in the web component of the camera. This allows the attacker to create their own user account, with all privileges and a shell of choice. Camera systems with the interface exposed to attackers (e.g. directly connected to the internet) are vulnerable for exploitation.
Hikvision has published an article that lists the affected products and versions. The advice is to check whether you are using these products and to install the available firmware update as soon as possible.
The article can be found here.
Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.